Using Signal Sciences with Kubernetes

One of the questions I hear regularly from customers is how to include Signal Sciences with some of the new technologies they are using to autoscale their environment. Containerization is an initiative that is being talked about regularly by customers across industry verticals. While the whole concept is great for providing new levels of economies of scale, redundancy and enabling CI/CD (Continuous Integration/Continuous Deployment), it can be a tricky thing to do in practice if your company has not moved over to this model. Not only do you need to potentially retrofit your application, or applications, to fit this model, you also need to ensure the technologies that secure your environment also work with it.

With the simple deployment model of our architecture it is very easy to include our components as part of the container running your application whether this is Apache, NGINX, PHP, Java, Node.js, or others. This article will walk you through how you can do this with Kubernetes in a fashion that will allow you to autoscale our WPP (Web Protection Platform) with your application deployment in Kubernetes.

Step 1: Creating the Docker Container

In order to be able to deploy something to Kubernetes we will need an initial Docker container to specify in the Kubernetes deployment. There is an example Docker container configuration at https://github.com/signalsciences/SigSciDockerExample. This repo also contains yaml files of the Deployment, Service, and Pods that get created as we walk through the process.

First, let’s take a look at the Dockerfile and understand some of the elements of what is going on.

With the copy command we are putting the repo information in place for apt in order to be able to automatically pull the Signal Sciences Agents and Modules.

Note: I like to have the tag be the versions of items I’m interested in, and I use this as a version control method. For example the tag 1.14.4–1.4.6 means SigSci-Agent-1.14.4 and SigSci-ApacheModule-1.4.6

Step 2: Creating your Kubernetes Deployment

Believe it or not, the hardest part is now done. We new have a container that has Apache2 with the Signal Sciences module installed and the Signal Sciences agent. This container will be added into a pod within in Kubernetes. Anytime this pod is brought up all three components will be there which simplifies the deployment of Signal Sciences. Generally whenever you update your Apache2 container, the Signal Sciences components will also automatically be updated!

First lets log into your Kubernetes cluster and create a new application. All of these steps can also be performed via the command line using the Kubectl.

In the Create an App view you can either import one of the provided yaml files or input things manually. If you do import one of the YAML files you will need to update the environment variables for SIGSCI_ACCESSKEYID and SIGSCI_SECRETACCESSKEY to be the correct ones for your deployment.

That’s it! You can hit deploy and see the deployment kick off. Once it is ready you can pull up the Kubernetes service information and try hitting the webpage.

Go to Services -> sigsci-apache-ubuntu1604 and under connections you will see the information about available endpoints.

If you hit the URL on the listening port you should now see:

After that check out the Agent information view in the Signal Sciences dashboard. You will see the name of the pod followed by the docker id. This is the hostname as reported back via the container within the guest.

Step 3: Scaling:

Scaling is straightforward and easy to do using kubectl.

kubectl scale deployment sigsci-apache-ubuntu1604 — replicas 3

This will cause three more pods to be brought up:

If we check out the agent page we’ll see two new instances, the original plus two more.:

Conclusion:

One of the biggest challenges for security practitioners is actually getting visibility into everything that is happening within your environment. Being able to include Signal Sciences as part of a template in your container build process helps fill in the gap of covering your web applications. As you deploy new web applications or scale existing ones by including our WPP, you know that they will be protected from day one. There are definitely different ways you can create the Docker container but this gives you an example to get you started on your way!

We would be happy to show you how Signal Sciences can help you, just click request a demo below and we will contact you right away.